1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2021 OpenVPN Inc <sales@openvpn.net>
9  * Copyright (C) 2010-2021 Fox Crypto B.V. <openvpn@foxcrypto.com>
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License version 2
13  * as published by the Free Software Foundation.
14  *
15  * This program is distributed in the hope that it will be useful,
16  * but WITHOUT ANY WARRANTY; without even the implied warranty of
17  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18  * GNU General Public License for more details.
19  *
20  * You should have received a copy of the GNU General Public License along
21  * with this program; if not, write to the Free Software Foundation, Inc.,
22  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23  */
24 
29 #ifndef SSL_VERIFY_H_
30 #define SSL_VERIFY_H_
31 
32 #include "syshead.h"
33 #include "misc.h"
34 #include "ssl_common.h"
35 
36 /* Include crypto-backend-specific code (OpenSSL or mbed TLS) */
37 #ifdef ENABLE_CRYPTO_OPENSSL
38 #include "ssl_verify_openssl.h"
39 #endif
40 #ifdef ENABLE_CRYPTO_MBEDTLS
41 #include "ssl_verify_mbedtls.h"
42 #endif
43 
44 #include "ssl_verify_backend.h"
45 
46 /*
47  * Keep track of certificate hashes at various depths
48  */
49 
51 #define MAX_CERT_DEPTH 16
52 
/** Structure containing the hash for a single certificate. */
struct cert_hash {
    unsigned char sha256_hash[256/8]; /**< SHA-256 digest of the certificate (32 bytes). */
};
57 
/**
 * Structure containing the hashes for a full certificate chain.
 *
 * ch[depth] holds the hash of the certificate at that chain depth (presumably
 * depth 0 is the peer's own certificate — confirm in ssl_verify.c); slots that
 * are not populated are expected to be NULL.  Every index must be below
 * MAX_CERT_DEPTH, so callers bound-check the depth before storing or reading.
 */
struct cert_hash_set {
    struct cert_hash *ch[MAX_CERT_DEPTH];
};
62 
/*
 * Modes for matching the peer certificate's subject against an expected name
 * (the type argument of --verify-x509-name).  VERIFY_X509_NONE disables the
 * check; the other values select how much of the subject is compared —
 * presumably the full DN, a single RDN value, or a prefix of that RDN.
 * Confirm the exact matching rules against ssl_verify.c.
 */
#define VERIFY_X509_NONE 0
#define VERIFY_X509_SUBJECT_DN 1
#define VERIFY_X509_SUBJECT_RDN 2
#define VERIFY_X509_SUBJECT_RDN_PREFIX 3
67 
69 {
73 };
74 
91 enum tls_auth_status
93 
109 #define TLS_AUTHENTICATED(multi, ks) ((ks)->state >= (S_GOT_KEY - (multi)->opt.server))
110 
118 
/**
 * Frees the given set of certificate hashes.
 *
 * @param chs  The hash set to free (each populated ch[] entry and the set itself).
 */
void cert_hash_free(struct cert_hash_set *chs);

/**
 * Locks the certificate hash set used in the given tunnel, so that a later
 * renegotiation presenting a different certificate chain can be detected
 * (presumably via cert_hash_compare — confirm in ssl_verify.c).
 *
 * @param multi  The tunnel whose current hash set is locked in.
 */
void tls_lock_cert_hash_set(struct tls_multi *multi);

/**
 * Locks the common name field for the given tunnel, so that a later
 * renegotiation presenting a different common name can be rejected — confirm
 * the enforcement point in ssl_verify.c.
 *
 * @param multi  The tunnel whose current common name is locked in.
 */
void tls_lock_common_name(struct tls_multi *multi);

/**
 * Returns the common name field for the given tunnel.
 *
 * @param multi  The tunnel to query.
 * @param null   Presumably selects whether an unset common name yields NULL
 *               rather than a placeholder string — confirm in ssl_verify.c.
 * @return Pointer owned by @p multi; callers must not free it.
 */
const char *tls_common_name(const struct tls_multi *multi, const bool null);

/**
 * Returns the username field for the given tunnel.
 *
 * @param multi  The tunnel to query.
 * @param null   Same meaning as for tls_common_name() — confirm in ssl_verify.c.
 * @return Pointer owned by @p multi; callers must not free it.
 */
const char *tls_username(const struct tls_multi *multi, const bool null);

/**
 * Compares certificate hashes, returns true if hashes are equal.
 *
 * @param chs1  First hash set.
 * @param chs2  Second hash set.
 * @return true if both sets hold the same hashes at every depth.
 */
bool cert_hash_compare(const struct cert_hash_set *chs1, const struct cert_hash_set *chs2);

/**
 * Verify the given username and password, using either an external script,
 * a plugin, or the management interface.
 *
 * @param up       The credentials supplied by the peer (untrusted input).
 * @param multi    The tunnel the credentials belong to.
 * @param session  The session being authenticated.
 */
void verify_user_pass(struct user_pass *up, struct tls_multi *multi,
                      struct tls_session *session);

/**
 * Perform final authentication checks, including locking of the cn, the
 * allowed certificate hashes, and any other checks that must pass before the
 * session is considered authenticated.
 *
 * @param multi    The tunnel being checked.
 * @param session  The session being checked.
 */
void verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session);
190 
192 {
193  const struct x509_track *next;
194  const char *name;
195 #define XT_FULL_CHAIN (1<<0)
196  unsigned int flags;
197  int nid;
198 };
199 
/*
 * Certificate checking for verify_nsCertType
 *
 * Bit flags selecting which nsCertType value the peer's certificate must carry.
 * nsCertType is a legacy Netscape extension; the extendedKeyUsage / keyUsage
 * checks below are the modern equivalent.
 */
#define NS_CERT_CHECK_NONE (0)
/* Require the "server" nsCertType. */
#define NS_CERT_CHECK_SERVER (1<<0)
/* Require the "client" nsCertType. */
#define NS_CERT_CHECK_CLIENT (1<<1)

/*
 * Sentinel for --remote-cert-ku: presumably means "a keyUsage extension must
 * be present, whatever its value" rather than a specific bit pattern —
 * confirm in the backend verification code.
 */
#define OPENVPN_KU_REQUIRED (0xFFFF)
212 
/**
 * Management-interface hook to accept or reject a pending client
 * authentication.  Only compiled in with ENABLE_MANAGEMENT.
 *
 * @param multi          The tunnel whose key state is being decided.
 * @param mda_key_id     Identifies the key state the decision applies to
 *                       (presumably the management deferred-auth key id —
 *                       confirm in ssl_verify.c).
 * @param auth           true to authenticate the key, false to deny it.
 * @param client_reason  Reason string recorded for the peer on denial
 *                       (see auth_set_client_reason); may be NULL — confirm.
 * @return true on success; the exact failure conditions are defined in
 *         ssl_verify.c.
 */
#ifdef ENABLE_MANAGEMENT
bool tls_authenticate_key(struct tls_multi *multi, const unsigned int mda_key_id, const bool auth, const char *client_reason);

#endif
220 
228 void auth_set_client_reason(struct tls_multi *multi, const char *client_reason);
229 
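/**
 * Return the client-facing authentication failure reason recorded by
 * auth_set_client_reason().
 *
 * @param multi  The tunnel to query.
 * @return The stored reason string; callers should expect NULL when no reason
 *         has been recorded.  The pointer appears to be owned by @p multi and
 *         must not be freed by the caller.
 */
static inline const char *
tls_client_reason(struct tls_multi *multi)
{
    return multi->client_reason;
}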
235 
237 void tls_x509_clear_env(struct env_set *es);
238 
239 #endif /* SSL_VERIFY_H_ */